Systems and software engineering - Lifecycle profiles for Very Small Entities (VSEs) - Part 3-2: Conformity certification scheme

This document:

  • defines the rules applicable for certification of the implementation of systems engineering, software engineering and service delivery processes complying with the requirements given in ISO/IEC 29110‑4-m, Profile specifications; and
  • provides the necessary information and confidence to customers about the way certification of their suppliers has been granted.

Certification of the implementation of systems and software engineering processes (named "certification" in this document) is a third-party conformity assessment activity (see ISO/IEC 17000:2004, 5.5). Bodies performing this activity are therefore third-party conformity assessment bodies (named "certification body/bodies" in this document).

NOTE This document is primarily intended to be used as a criteria document for the accreditation or peer assessment of certification bodies which seek to be recognized as being competent to certify that a Very Small Entity (VSE) complies with ISO/IEC 29110‑4-m, Profile Specifications. Some of its requirements could also be found useful by any other parties involved in the conformity assessment of such certification bodies.

Systems and software engineering processes certification does not attest the fitness of the systems and or software products offered by a VSE.

It is important to note that certification of the implementation of systems and software engineering processes according to ISO/IEC 29110‑4-m, Profile Specifications, is a process certification and not a management systems certification neither a product certification.

Certification of the implementation of systems and software engineering processes (SEP) of a very small entity (VSE) is one means of providing assurance that the VSE has implemented systems and software engineering processes to the development or maintenance of systems and or software.

Requirements for the implementation of SEP can originate from a number of sources, and this International Standard has been developed to assist in the certification of SEP that fulfil the requirements of ISO/IEC 29110‑4-m, Profile Specifications. The contents of this document can also be used to support certification of SEP that are based on other sets of specified SEP requirements.

This document is intended for use by bodies that carry out audit and certification of SEP for VSEs. It gives generic requirements for such certification bodies performing audit and certification in the field of SEP for VSEs. Such bodies are referred to as certification bodies. This wording is not intended to be an obstacle to the use of this document by bodies with other designations that undertake activities covered by the scope of this document. Indeed, this document is intended to be usable by anyone involved in the assessment of SEP for VSEs.

Certification activities involve the audit of a VSE's SEP. The form of attestation of conformity of a VSE's SEP to a specific lifecycle profile standard setting the applicable SEP (for example ISO/IEC 29110‑4-1 or ISO/IEC 29110‑4-3) or other specified requirements are normally a certification document or a certificate.

This certification is outside the scope of ISO/IEC 29169 to the assessment to process quality characteristics and organizational maturity, and does not cover the results of process assessment. ISO/IEC 29110-3-3 describes such a scheme.

It is for the VSE being certified to develop its own processes (including ISO/IEC 29110‑4-m SEP), other sets of specified SEP requirements, other processes and it is for the VSE to decide how the various components of these will be arranged. It is therefore for certification bodies that operate in accordance with this document to take into account the culture and practices of their clients with respect to the implementation of SEP, including, if applicable, within the wider organization.

Ingénierie des systèmes et du logiciel — Profils de cycle de vie pour très petits organismes (TPO) — Partie 3-2: Programme de certification de la conformité

General Information

Status: Published
Publication Date: 25-Apr-2018
Current Stage: 9093 - International Standard confirmed
Start Date: 10-May-2024
Completion Date: 30-Oct-2025

Relations

Effective Date: 07-Jan-2025

Overview

ISO/IEC 29110-3-2:2018 - "Systems and software engineering - Lifecycle profiles for Very Small Entities (VSEs) - Part 3-2: Conformity certification scheme" specifies a third‑party certification scheme for the implementation of systems engineering, software engineering and service delivery processes in Very Small Entities (VSEs) (up to 25 people). The standard defines rules and generic requirements for certification bodies (third‑party conformity assessment bodies) that audit and certify compliance with ISO/IEC 29110‑4‑m Profile Specifications. It clarifies that this is a process certification (implementation of engineering processes), not a product or management‑system certification, and is intended to provide customers confidence in supplier process implementation.

Key topics and technical requirements

Key technical topics and requirements covered include:

  • Scope and purpose of the conformity certification scheme for VSE lifecycle profiles.
  • Impartiality and structural requirements for certification bodies.
  • Resource and personnel requirements, including competence management, auditor selection and personal attributes for SEP (systems and software engineering processes) auditors and certification decision‑makers.
  • Process requirements for certification: application, application review, evaluation planning, audit planning and conduct (on‑site and remote), audit team assignment, audit time determination, multi‑site sampling, nonconformity handling, and certification decisions.
  • Surveillance, changes, suspension/withdrawal and records maintenance.
  • Certification documentation and maintenance of a directory of certified VSEs.
  • Complaints, appeals and management system requirements for certification bodies.
  • Alignment with conformity assessment principles such as those in ISO/IEC 17000:2004; a reference to other conformity assessment guides (e.g., ISO/IEC 29169) is provided where relevant.

Practical applications - who uses it

This standard is primarily used by:

  • Accreditation bodies and peer‑assessment organizations evaluating certification bodies for competence to certify VSEs.
  • Certification bodies that want a compliant scheme for auditing and certifying VSEs against ISO/IEC 29110 profiles.
  • VSEs (software and systems suppliers) seeking process certification to demonstrate they follow recognized SEP lifecycles.
  • Customers, procurement officers, and integrators who want assurance about supplier engineering process practices.
  • Consultants, auditors and assessors preparing for SEP audits or building certification programs for small organizations.

Related standards

  • ISO/IEC 29110‑4‑m (Profile Specifications) - defines the SEP requirements for VSEs.
  • ISO/IEC 29110‑3‑3 - assessment scheme for process quality characteristics and maturity (related assessments).
  • ISO/IEC 29110‑1, ‑2, ‑5 - overview, framework and guidelines for VSE lifecycle profiles.
  • ISO/IEC 17000:2004 - conformity assessment vocabulary and principles.

Keywords: ISO/IEC 29110-3-2:2018, conformity certification scheme, VSE certification, process certification, systems engineering, software engineering, certification body, SEP audit, ISO/IEC 29110.

Standard

ISO/IEC 29110-3-2:2018 - Systems and software engineering — Lifecycle profiles for Very Small Entities (VSEs) — Part 3-2: Conformity certification scheme. Released: 4/26/2018

English language
22 pages

Frequently Asked Questions

ISO/IEC 29110-3-2:2018 is a standard published by the International Organization for Standardization (ISO). Its full title is "Systems and software engineering - Lifecycle profiles for Very Small Entities (VSEs) - Part 3-2: Conformity certification scheme".

ISO/IEC 29110-3-2:2018 is classified under the following ICS (International Classification for Standards) categories: 35.080 - Software. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/IEC 29110-3-2:2018 has the following relationships with other standards: it has an inter-standard link to ISO/IEC 29110-3-2:2018/Amd 1:2025. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 29110-3-2
First edition
2018-04
Systems and software engineering — Lifecycle profiles for Very Small Entities (VSEs) — Part 3-2: Conformity certification scheme
Ingénierie des systèmes et du logiciel — Profils de cycle de vie pour très petits organismes (TPO) — Partie 3-2: Programme de certification de la conformité
Reference number
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 General requirements
5.1 General
5.2 Management of impartiality
6 Structural requirements
7 Resource requirements
7.1 Certification body personnel
7.1.1 General
7.1.2 Management of competence for personnel involved in the certification process
7.1.3 Contract with the personnel
7.1.4 Personal attributes
7.1.5 Generic SEP competence requirements
7.1.6 Competence requirements for Personnel granting certification
7.1.7 Competence requirements for SEP auditors
7.2 Resources for evaluation
8 Process requirements
8.1 General
8.2 Application
8.3 Application review
8.4 Evaluation
8.4.1 Evaluation Plan
8.4.2 Audit plan
8.4.3 Audit team selection and assignments
8.4.4 Determining audit time
8.4.5 Multi-site sampling
8.4.6 Communication of audit team tasks
8.4.7 Communication concerning audit team members
8.4.8 Communication of audit plan
8.4.9 Conducting on-site and remote audits
8.4.10 Initial certification audit
8.4.11 Initial certification audit conclusions
8.4.12 Personnel for evaluation
8.4.13 Information for evaluation
8.4.14 Resources for evaluation
8.4.15 Use of evaluations results completed prior to the application for certification
8.4.16 Nonconformities
8.4.17 Additional evaluation tasks
8.4.18 Results of evaluation
8.5 Review
8.6 Certification decision
8.6.1 General
8.6.2 Actions prior to making a decision
8.7 Certification documentation
8.8 Directory of certified VSEs
8.9 Surveillance
8.10 Changes affecting certification
8.11 Termination, reduction, suspension or withdrawal of certification
8.12 Records
8.13 Complaints and appeals
9 Management system requirements
Annex A (informative) Considerations for the audit programme, scope or plan
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the WTO
principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary
information.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 7, Software and systems engineering.
A list of all parts in the ISO/IEC 29110 series can be found on the ISO website.

Introduction
Very Small Entities (VSEs) around the world are creating valuable products and services. For the
purpose of ISO/IEC 29110, a Very Small Entity (VSE) is an enterprise, an organization, a department
or a project having up to 25 people. Since many VSEs develop and/or maintain system elements and
software components used in systems, or sold to be used by others, a recognition of VSEs as suppliers of
high quality products is required.
According to the Organization for Economic Co-operation and Development (OECD) SME and
Entrepreneurship Outlook report (2005) ‘Small and Medium Enterprises (SMEs), i.e. Enterprises
which employ fewer than 250 persons, constitute the dominant form of business organization in all
countries world-wide, accounting for over 95 % and up to 99 % of the business population depending on
country’. The challenge facing OECD governments is to provide a business environment that supports
the competitiveness of this large heterogeneous business population and that promotes a vibrant
entrepreneurial culture.
From studies and surveys conducted, it is clear that the majority of International Standards do not
address the needs of VSEs. Implementation of and conformance with these standards is difficult, if not
impossible. Subsequently VSEs have no, or very limited, ways to be recognized as entities that produce
quality systems/system elements including software in their domain. Therefore, VSEs are often cut off
from some economic activities.
It has been found that VSEs find it difficult to relate International Standards to their business needs
and to justify the application of standards to their business practices. Most VSEs can neither afford
the resources, in terms of number of employees, expertise, budget and time, nor do they see a net
benefit in establishing systems or software lifecycle processes. To rectify some of these difficulties,
a set of guidelines has been developed according to a set of VSE characteristics. The guidelines are
based on subsets of appropriate standards processes, activities, tasks, and outcomes, referred to as
Profiles. The purpose of a profile is to define a subset of International Standards relevant to the VSEs'
context; for example, processes, activities, tasks, and outcomes of ISO/IEC/IEEE 12207 for software;
and processes, activities, tasks, and outcomes of ISO/IEC/IEEE 15288 for systems; and information
products (documentation) of ISO/IEC/IEEE 15289 for software and systems.
VSEs can achieve recognition through implementing a profile and by being audited against
ISO/IEC 29110 specifications.
ISO/IEC 29110 series of standards and technical reports can be applied at any phase of system or
software development within a lifecycle. This series of standards and technical reports is intended to
be used by VSEs that do not have experience or expertise in adapting/tailoring ISO/IEC/IEEE 12207 or
ISO/IEC/IEEE 15288 to the needs of a specific project. VSEs that have expertise in adapting/tailoring
ISO/IEC/IEEE 12207 or ISO/IEC/IEEE 15288 are encouraged to use those standards instead of
ISO/IEC 29110.
ISO/IEC 29110 is intended to be used with any lifecycles such as: waterfall, iterative, incremental,
evolutionary or agile.
Systems, in the context of ISO/IEC 29110, are typically composed of hardware and software components.
The ISO/IEC 29110 series, targeted by audience, has been developed to improve system or software
and/or service quality, and process performance. See Table 1.

Table 1 — ISO/IEC 29110 target audience

| ISO/IEC 29110 | Title | Target audience |
|---|---|---|
| ISO/IEC 29110-1 | Overview | VSEs and their customers, assessors, standards producers, tool vendors and methodology vendors. |
| ISO/IEC 29110-2 | Framework for profile preparation | Profile producers, tool vendors and methodology vendors. Not intended for VSEs. |
| ISO/IEC 29110-3 | Certification and assessment guidance | VSEs and their customers, assessors, accreditation bodies. |
| ISO/IEC 29110-4 | Profile specifications | VSEs, customers, standards producers, tool vendors and methodology vendors. |
| ISO/IEC 29110-5 | Management, engineering and service delivery guidelines | VSEs and their customers. |

If a new profile is needed, ISO/IEC 29110-4 and ISO/IEC/TR 29110-5 can be developed without
impacting existing documents.
ISO/IEC TR 29110-1 [5] defines the terms common to the ISO/IEC 29110 series. It introduces processes,
lifecycle and standardization concepts, the taxonomy (catalogue) of ISO/IEC 29110 profiles and the
ISO/IEC 29110 series. It also introduces the characteristics and needs of a VSE and clarifies the rationale for
specific profiles, documents, standards and guidelines.
ISO/IEC 29110-2 introduces the concepts for systems and software engineering profiles for VSEs. It
establishes the logic behind the definition and application of profiles. For standardized profiles, it
specifies the elements common to all profiles (structure, requirements, conformance, and assessment).
For domain-specific profiles (profiles that are not standardized and developed outside of the ISO
process), it provides general guidance adapted from the definition of standardized profiles.
ISO/IEC 29110-3 defines certification schemes, assessment guidelines and compliance requirements
for process capability assessment, conformity assessments, and self-assessments for process
improvements. ISO/IEC 29110-3 also contains information that can be useful to developers of
certification and assessment methods and developers of certification and assessment tools.
ISO/IEC 29110-3 is addressed to people who have direct involvement with the assessment process, e.g.
the auditor, certification and accreditation bodies and the sponsor of the audit, who need guidance on
ensuring that the requirements for performing an audit have been met.
ISO/IEC 29110-4-m provides the specification for all profiles in one profile group (a profile group may
contain a single profile or multiple profiles). A profile is specified in terms of requirements imported
from appropriate base standards.
ISO/IEC TR 29110-5-m provides management, engineering and service delivery guidelines for the
profiles in a profile group.
This document defines the process certification scheme, assessment guidelines and compliance
requirements needed to meet the purpose of the defined Profiles.
Figure 1 describes the ISO/IEC 29110 International Standards (IS) and Technical Reports (TR) and
positions the parts within the framework of reference. Overview, assessment guidelines, management
and engineering guidelines are available from ISO as freely available Technical Reports (TR). The
Framework document, profile specifications and certification schemes are published as International
Standards (IS).

Figure 1 — ISO/IEC 29110 series

INTERNATIONAL STANDARD ISO/IEC 29110-3-2:2018(E)
Systems and software engineering — Lifecycle profiles for
Very Small Entities (VSEs) —
Part 3-2:
Conformity certification scheme
1 Scope
This document:
— defines the rules applicable for certification of the implementation of systems engineering,
software engineering and service delivery processes complying with the requirements given in
ISO/IEC 29110-4-m, Profile specifications; and
— provides the necessary information and confidence to customers about the way certification of
their suppliers has been granted.
Certification of the implementation of systems and software engineering processes (named
“certification” in this document) is a third-party conformity assessment activity (see
ISO/IEC 17000:2004, 5.5). Bodies performing this activity are therefore third-party conformity assessment
bodies (named “certification body/bodies” in this document).
NOTE This document is primarily intended to be used as a criteria document for the accreditation or peer
assessment of certification bodies which seek to be recognized as being competent to certify that a Very Small
Entity (VSE) complies with ISO/IEC 29110-4-m, Profile Specifications. Some of its requirements could also be
found useful by any other parties involved in the conformity assessment of such certification bodies.
Systems and software engineering processes certification does not attest the fitness of the systems and
or software products offered by a VSE.
It is important to note that certification of the implementation of systems and software engineering
processes according to ISO/IEC 29110-4-m, Profile Specifications, is a process certification and not a
management systems certification neither a product certification.
Certification of the implementation of systems and software engineering processes (SEP) of a very
small entity (VSE) is one means of providing assurance that the VSE has implemented systems and
software engineering processes to the development or maintenance of systems and or software.
Requirements for the implementation of SEP can originate from a number of sources, and this
International Standard has been developed to assist in the certification of SEP that fulfil the
requirements of ISO/IEC 29110-4-m, Profile Specifications. The contents of this document can also be
used to support certification of SEP that are based on other sets of specified SEP requirements.
This document is intended for use by bodies that carry out audit and certification of SEP for VSEs. It
gives generic requirements for such certification bodies performing audit and certification in the field
of SEP for VSEs. Such bodies are referred to as certification bodies. This wording is not intended to be
an obstacle to the use of this document by bodies with other designations that undertake activities
covered by the scope of this document. Indeed, this document is intended to be usable by anyone
involved in the assessment of SEP for VSEs.
Certification activities involve the audit of a VSE’s SEP. The form of attestation of conformity of a VSE’s
SEP to a specific lifecycle profile standard setting the applicable SEP (for example ISO/IEC 29110-4-1
or ISO/IEC 29110-4-3) or other specified requirements are normally a certification document or a
certificate.
© ISO/IEC 2018 – All rights reserved 1

This certification is outside the scope of ISO/IEC 29169 to the assessment to process quality
characteristics and organizational maturity, and does not cover the results of process assessment.
ISO/IEC 29110-3-3 describes such a scheme.
It is for the VSE being certified to develop its own processes (including ISO/IEC 29110-4-m SEP), other
sets of specified SEP requirements, other processes and it is for the VSE to decide how the various
components of these will be arranged. It is therefore for certification bodies that operate in accordance
with this document to take into account the culture and practices of their clients with respect to the
implementation of SEP, including, if applicable, within the wider organization.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 29110-2-1, Software engineering — Lifecycle profiles for Very Small Entities (VSEs) — Part 2-1:
Framework and taxonomy
ISO/IEC 17000, Conformity assessment — Vocabulary and general principles
ISO/IEC 17065:2012, Conformity assessment — Requirements for bodies certifying products, processes
and services
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 29110-2-1, ISO/IEC 17000,
ISO/IEC 17065:2012 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1
certification body
third-party conformity assessment body operating certification schemes
Note 1 to entry: A certification body can be non-governmental or governmental (with or without regulatory
authority).
[SOURCE: ISO/IEC 17065:2012]
3.2
client
organization that is responsible to a certification body for ensuring certification
requirements, including product requirements are fulfilled
[SOURCE: ISO/IEC 17065:2012, modified — Definition editorially revised and Note 1 to entry removed.]
4 Symbols and abbreviated terms
4.1 Abbreviated Terms
The following abbreviations are used in this document:
SEP Systems and Software Engineering Process
VSE Very Small Entity
5 General requirements
5.1 General
All the requirements given in ISO/IEC 17065:2012, Clause 4 apply.
5.2 Management of impartiality
The certification body and any part of the same legal entity shall not offer or provide systems and
software engineering processes consultancy.
The fact that the organization employing the auditor is known to have provided systems and software
engineering processes consultancy to the VSE, within two years following the end of the consultancy, is
likely to be considered as a high threat to impartiality.
6 Structural requirements
All the requirements given in ISO/IEC 17065:2012, Clause 5 apply.
7 Resource requirements
7.1 Certification body personnel
7.1.1 General
All the requirements given in ISO/IEC 17065:2012, 6.1, apply.
Additionally, the certification body shall have processes to ensure that personnel have appropriate
knowledge relevant to the market in which it operates.
7.1.2 Management of competence for personnel involved in the certification process
All the requirements given in ISO/IEC 17065:2012, 6.1.2, apply.
7.1.3 Contract with the personnel
All the requirements given in ISO/IEC 17065:2012, 6.1.3, apply.
7.1.4 Personal attributes
The certification body shall ensure that all personnel involved in the certification activities possess the
following personal attributes. The personnel shall be:
a) ethical, i.e. fair, truthful, sincere, honest and discreet;
b) open-minded, i.e. willing to consider alternative ideas or points of view;
c) diplomatic, i.e. tactful in dealing with people;
d) observant, i.e. actively observing physical surroundings and activities;
e) perceptive, i.e. aware of and able to understand situations;
f) versatile, i.e. able to readily adapt to different situations;
g) tenacious, i.e. persistent and focused on achieving objectives;
h) decisive, i.e. able to reach timely conclusions based on logical reasoning and analysis;
i) self-reliant, i.e. able to act and function independently whilst interacting effectively with others;
j) acting with fortitude, i.e. able to act responsibly and ethically, even though these actions may not
always be popular and may sometimes result in disagreement or confrontation; and
k) open to improvement, i.e. willing to learn from situations, and striving for better audit results.
7.1.5 Generic SEP competence requirements
7.1.5.1 General considerations
The certification body shall have processes to ensure that personnel have appropriate knowledge
relevant to SEP.
It shall determine the competence required for each technical area (as relevant for the specific
certification scheme) and for each function in the certification activity.
It shall determine the means for the demonstration of competence prior to carrying out specific
functions.
7.1.5.2 Personnel carrying out contract review
The certification body shall ensure that personnel carrying out contract review demonstrate the ability
to apply knowledge and skills in the following areas:
a) assessment of applicant products, processes and practices;
b) deployment of systems and software engineering processes for VSEs auditor competences and
requirements;
c) determination of audit time and duration requirements; and
d) certification body's policies and procedures related to contract review.
7.1.6 Competence requirements for Personnel granting certification
7.1.6.1 General
The certification body shall ensure that the personnel who take the decision on granting certification
have the same education, systems and software engineering processes training, audit training and
work experience as required for an auditor in one category.
7.1.6.2 Competences
The certification body shall ensure that personnel granting certification demonstrate the ability to
apply knowledge and skills in the following areas:
a) systems and software engineering processes standards or other documents used as audit criteria;
b) the application of systems and software engineering processes standards;
c) implementation of systems and software engineering processes and the ability to assess the
effectiveness of their implementation;
d) corrections and corrective actions to be taken with regards to systems and software engineering
processes;
e) laws and regulations relevant to systems and software engineering processes, in order to be able to
conduct an effective audit;
f) systems and software products, processes and practices;
g) relevant systems and software engineering processes requirements;
h) relevant standards;
i) assessment and review of an audit report for accuracy and completeness relevant systems and
software engineering processes requirements;
j) assessment and review of the effectiveness of corrective actions; and
k) the certification process.
7.1.7 Competence requirements for SEP auditors
7.1.7.1 General
All the requirements given in ISO 19011:2011, 5.4.7 c) apply.
The competences of auditors shall be recorded. The certification body shall provide evidence of a
successful evaluation of SEP auditors.
The certification body shall ensure that auditors demonstrate the ability to apply knowledge and skills
in the following areas.
7.1.7.2 Work experience
The certification body shall ensure that the auditor has relevant work experience in the systems and
software industry, including in systems and software development life cycle processes functions, within
systems and software development or maintenance, inspection or enforcement, or the equivalent.
7.1.7.3 Audit experience
The certification body shall ensure that the auditor has performed systems and software engineering
processes audits in organizations under the leadership of a qualified auditor.
For maintaining the qualification of the auditor, the certification body shall ensure that auditors have
all the necessary competences updated.
7.1.7.4 Audit principles, procedures and techniques
To enable the auditor to apply the principles, procedures and techniques as appropriate to different
audits and to ensure that audits are conducted in a consistent and systematic manner, an auditor shall
be able to:
a) apply audit principles, procedures and techniques;
b) plan and organize the work effectively;
c) conduct the audit within the agreed time schedule;
d) prioritize and focus on matters of significance;
e) collect information through effective interviewing, listening, observing and reviewing documents,
records and data;
f) understand the appropriateness and consequences of using sampling techniques for auditing;
g) verify the accuracy of collected information;
h) use work documents to record audit activities;
i) confirm the sufficiency and appropriateness of audit evidence to support audit findings and
conclusions;
j) assess those factors that can affect the reliability of the audit findings and conclusions;
k) prepare audit reports;
l) maintain the confidentiality and security of information; and
m) communicate effectively, either through personal linguistic skills or through an interpreter.
7.1.7.5 Systems and software engineering standards for VSE and normative documents
Personnel involved in VSE SEP auditing shall have knowledge of:
a) relevant standards of 29110 family;
b) 29110 normative documents used in SEP and their application; and
c) 29110-4-m requirements and their application.
7.1.7.6 Systems and software engineering processes and reference documents
To enable the auditor to comprehend the scope of the audit and apply audit criteria, knowledge and
skills in this area shall cover:
a) the application of systems and software engineering processes in the development and maintenance
of systems and software in different organizations;
b) interaction between the components of systems and software engineering processes;
c) systems and software engineering processes standards, applicable procedures or other documents
used as audit criteria;
d) recognizing differences between, and the priority of, the reference documents;
e) application of the reference documents to different audit situations; and
f) information systems and technology for authorization, security, distribution and control of
documents, data and records.
7.1.7.7 Organizational situations
To enable the auditor to comprehend the organization's operational context, knowledge and skills in
this area shall cover:
a) organizational size, structure, functions and relationships;
b) general business processes and related terminology;
c) cultural and social customs of the auditee; and
d) the VSE SEP characteristics and context.
7.1.7.8 Applicable laws, regulations and other requirements relevant to the discipline
To enable the auditor to work within, and be aware of, the requirements that apply to the organization
being audited, knowledge and skills in this area shall cover:
a) local, regional and national codes, laws and regulations;
b) contracts and agreements; and
c) other requirements to which the organization subscribes.
7.1.7.9 Terminology, knowledge and skills in the following systems and software engineering
processes
The certification body shall ensure that auditors demonstrate the ability to apply terminology,
knowledge and skills in the following systems and software engineering processes:
a) methodologies used for implementation and management of systems and software engineering
processes and the ability to assess the effectiveness of these processes;
b) corrections and corrective actions to be taken with regards to systems and software engineering
processes;
c) laws and regulations relevant to the delivery and maintenance of systems and/or software in order
to be able to conduct an effective audit;
d) systems and/or software products, processes and practices of the sector;
e) relevant systems and software engineering processes requirements; and
f) relevant systems and software engineering processes standards.
NOTE It is not necessary for each individual to have the same competence, however the collective competence
of the group needs to be sufficient to achieve the objective of these functions.
7.1.7.10 Selection of the audit team
The certification body shall ensure that the systems and software engineering processes audit team have
competences in the application of systems and software engineering processes required by the audit.
7.2 Resources for evaluation
All the requirements given in ISO/IEC 17065:2012, 6.2 apply.
8 Process requirements
8.1 General
All the requirements given in ISO/IEC 17065:2012, 7.1 apply.
8.2 Application
The certification body shall obtain all the necessary information to complete the certification process
in accordance with the relevant certification scheme.
NOTE 1 The following are examples of necessary information:
— the product(s) developed using the systems and software engineering processes;
— the standards and/or other normative documents for which the client is seeking certification (see 7.1.2);
— the general features of the client, including its name and the address(es) of its physical location(s), significant
aspects of its process and operations (if required by the relevant certification scheme), and any relevant legal
obligations;
— general information concerning the client, relevant to the field of certification for which the application is
made, such as the client's activities, its human and technical resources and its functions and relationship in a
larger corporation, if any;
— information concerning all outsourced processes used by the client that will affect conformity to requirements;
if the client has identified a legal entity/entities for delivering or developing parts of the systems and/or software
that is different from the client, then the certification body can establish appropriate contractual controls over
the legal entity/entities concerned, if necessary for effective surveillance; if such contractual controls are
needed, they can be established prior to providing formal certification documentation (see 8.7); and
— all other information needed in accordance with the relevant certification requirements, such as information
for initial evaluation and surveillance activities, e.g. the locations where the systems and/or software is
developed or maintained and contact personnel at these locations.
NOTE 2 A variety of media and mechanisms can be used to collect this information at various times, including
an application form. Such information gathering can be in conjunction with, or separate from, the completion of
the legally binding agreement (the certification agreement) specified in ISO/IEC 17065:2012, 4.1.2.
NOTE 3 Application for an extension of the certification scope could involve similar products, different
locations, etc.
8.3 Application review
All the requirements given in ISO/IEC 17065:2012, 7.3 apply.
8.4 Evaluation
8.4.1 Evaluation Plan
The evaluation plan shall be developed to clearly identify the audit activity(ies) required to demonstrate
that the client's systems and software engineering processes fulfil the requirements for certification
to the selected standard(s) within the ISO/IEC 29110-4-m series or other normative document(s).
The evaluation plan shall include a two-stage initial audit, surveillance audits in the first and second years,
and a recertification audit in the third year prior to expiration of certification. The three-year certification
cycle begins with the certification or recertification decision. The determination of the evaluation
plan and any subsequent adjustments shall consider the size of the client organization, the scope and
complexity of its systems and software engineering processes and products as well as demonstrated
level of software engineering processes effectiveness and the results of any previous audits.
NOTE Annex A lists additional items that can be considered when developing or revising an audit programme.
Where a certification body is taking account of certification or other audits already granted to the
client, it shall collect sufficient, verifiable information to justify and record any adjustments to the audit
programme.
8.4.2 Audit plan
8.4.2.1 General
The certification body shall ensure that an audit plan is established for each audit identified in the
evaluation plan to provide the basis for agreement regarding the conduct and scheduling of the audit
activities. This audit plan shall be based on documented requirements of the certification body.
8.4.2.2 Determining audit objectives, scope and criteria
The audit objectives shall be determined by the certification body according to the requirements of
applicable ISO/IEC 29110-4-m series. The audit scope and criteria, including any changes, shall be
established by the certification body after discussion with the client.
The audit objectives shall describe what is to be accomplished by the audit and shall include the
following:
a) determination of the conformity of the client's systems and software engineering processes with
audit criteria;
b) evaluation of the ability of the systems and software engineering processes to ensure the client
organization meets applicable contractual requirements; and
NOTE 1 A systems and software engineering processes certification audit is not a legal compliance audit.
c) as applicable, identification of areas for potential improvement of the systems and software
engineering processes.
The audit scope shall describe the extent and boundaries of the audit, such as physical locations,
organizational units, activities and processes to be audited. Where the initial or re-certification process
consists of more than one audit (e.g. covering different locations), the scope of an individual audit may
not cover the full certification scope, but the totality of audits shall be consistent with the scope in the
certification document.
NOTE 2 Annex A lists additional items that can be considered when preparing or revising the audit scope.
The audit criteria shall be used as a reference against which conformity is determined, and shall include:
— the requirements of ISO/IEC 29110-4-m standard or a defined normative document on systems and
software engineering processes; and
— the defined processes and documentation of the systems and software engineering processes
developed by the client.
8.4.2.3 Preparing the audit plan
The audit plan shall be appropriate to the objectives and the scope of the audit. The audit plan shall at
least include or refer to the following:
a) the audit objectives;
b) the audit criteria;
c) the audit scope, including identification of the organizational and functional units or processes to
be audited;
d) the dates and sites where the on-site audit activities are to be conducted, including visits to
temporary sites, as appropriate;
e) the expected time and duration of on-site au
...

The article discusses ISO/IEC 29110-3-2:2018, which is a certification scheme for very small entities (VSEs) in the field of systems and software engineering. The document provides rules and guidelines for certifying the implementation of systems engineering, software engineering, and service delivery processes in compliance with ISO/IEC 29110-4-m, Profile Specifications. The certification is a third-party conformity assessment activity performed by certification bodies. The purpose of the certification is to assure customers that their suppliers have met the necessary requirements. It is important to note that the certification focuses on process certification and not on the fitness of the actual systems or software products offered by VSEs. The document is intended for use by certification bodies and provides generic requirements for auditing and certifying systems and software engineering processes for VSEs. The certification activities involve the audit of a VSE's processes, and the certification document or certificate attests to the conformity of the SEP to specific lifecycle profile standards or other specified requirements. The article also mentions that ISO/IEC 29110-3-3 describes a scheme related to the certification process. The VSEs are responsible for developing their own processes, and the certification bodies should consider the cultural and organizational practices of their clients when assessing the implementation of SEP.